Analysing the traffic of a Tor exit node with Intrusion Detection Systems

Protecting our anonymity on the internet is becoming more difficult. Large companies and national security agencies collect data about us, and to counter this surveillance people turn to privacy-enhancing technologies. Tor is one of the most widely used of these: it encrypts the traffic inside the Tor network, and the traffic leaves the network at a randomly chosen exit node, usually in a different country, so that the user cannot be traced. However, this is an equally efficient way to hide an attacker's identity, since it makes it possible to carry out malicious activity with the exit node's IP address as the apparent source.

The first point at which such malicious traffic can be detected is the Tor exit node, where the packets are no longer protected by Tor's encryption. An intrusion detection system installed there can analyse these unencrypted packets and raise alarms.

In my thesis I examine how suitable the analysis of a Tor exit node's traffic with IDS engines is for detecting the network traffic of conventional attacks. Conventional attacks here are SQL injection, password brute-force attacks, use of exploits, network mapping, shellcode execution and C&C server communication. I have built a test environment in which attacks are launched through the observed exit node against a target machine that I operate. With this environment I can measure the performance of the IDS engines and analyse the alarms they raise.

Furthermore, I designed an architecture which can filter the malicious traffic using the signature-based IPS functionality of the tested IDS engine.
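As an added illustration of the two rule types such an exit-node IDS/IPS applies (it is example code, not part of the thesis and not the rule set of any real engine), the following Python runs signature rules for SQL injection and a per-source threshold rule for password brute force over constructed sample events, first in detection mode (alarms only) and then in inline IPS mode (matching events dropped). The event format, the regular expressions, the threshold of five failures per 60 seconds and the IP addresses are all assumptions of this example.

```python
import re
from collections import defaultdict, deque

# Constructed sample of events as seen after the traffic leaves the Tor network:
# (timestamp in seconds, source IP, event kind, payload). Addresses are from
# documentation ranges; everything here is made up for the example.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", "http", "GET /item?id=42"),
    (1.5, "198.51.100.7", "http", "GET /item?id=42' OR '1'='1"),
    (2.0, "198.51.100.7", "http", "GET /item?id=0 UNION SELECT user,pass FROM users--"),
    (3.0, "203.0.113.9", "login_fail", "user=admin"),
    (4.0, "203.0.113.9", "login_fail", "user=admin"),
    (5.0, "203.0.113.9", "login_fail", "user=admin"),
    (6.0, "203.0.113.9", "login_fail", "user=admin"),
    (7.0, "203.0.113.9", "login_fail", "user=admin"),
    (100.0, "203.0.113.9", "login_fail", "user=admin"),  # outside the window
    (101.0, "198.51.100.7", "login_fail", "user=bob"),   # a single typo, benign
    (102.0, "198.51.100.7", "login_ok", "user=bob"),
]

# Illustrative signature rules (name -> regex over the request payload).
# These are assumptions of this example, not rules of any real IDS engine.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)(?:'|\b)\s*or\s+'?\w+'?\s*=\s*'?\w+"),
    "sqli-union-select": re.compile(r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b"),
    "sqli-comment-tail": re.compile(r"(?:--|/\*)\s*$"),
}


def match_signatures(payload):
    """Return the names of all signatures that match the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


class BruteForceTracker:
    """Threshold rule: alarm when one source produces `threshold` or more
    failed logins within a sliding window of `window` seconds."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # source IP -> timestamps of failures

    def observe(self, ts, src):
        q = self.failures[src]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold


def analyse(events, tracker=None):
    """Detection (IDS) mode: run both rule types and return the alarms."""
    tracker = tracker if tracker is not None else BruteForceTracker()
    alerts = []
    for ts, src, kind, payload in events:
        if kind == "http":
            for name in match_signatures(payload):
                alerts.append({"ts": ts, "src": src, "rule": name})
        elif kind == "login_fail" and tracker.observe(ts, src):
            alerts.append({"ts": ts, "src": src, "rule": "bruteforce-threshold"})
    return alerts


def filter_traffic(events, tracker=None):
    """Inline (IPS) mode: an event that triggers any rule is dropped instead
    of merely logged. Returns (passed, dropped)."""
    tracker = tracker if tracker is not None else BruteForceTracker()
    passed, dropped = [], []
    for ev in events:
        (dropped if analyse([ev], tracker) else passed).append(ev)
    return passed, dropped


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"ALERT t={alert['ts']:>6} src={alert['src']:<14} rule={alert['rule']}")
    passed, dropped = filter_traffic(SAMPLE_EVENTS)
    print(f"IPS mode: {len(passed)} events passed, {len(dropped)} dropped")
```

The sixth failed login at t=100 produces no alarm because the five earlier failures have aged out of the 60-second window, which is the behaviour a threshold rule needs in order not to keep alarming on a source that has stopped; the single failure from the other source never reaches the threshold at all. Real engines express the same two ideas as content signatures and rate-limited (threshold) rules, and in IPS mode drop the packet rather than just logging it.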